Much focus has been given to the technical aspects of GDPR, but assuming implementation and management will fall to IT and compliance is incorrect. From an internal and employee data perspective, it will be the HR department tasked with making GDPR a success.
An exercise in communication
A recent survey suggests HR is still a divided profession when it comes to GDPR. Almost half (44%) of the 1,800 HR and payroll professionals surveyed did not even know what GDPR was.
For those that did, however, 81% feel that they will be ready to manage the changes when they come into force in May 2018. The majority of these professionals are working in collaboration with other departments to ensure preparedness for the new regulation.
>See also: You can spell “compliance” without UC – but should you?
GDPR will require significant changes to employee data and privacy processes. Whilst IT is playing a leading role in the implementation of GDPR throughout the whole business, responsibility for managing employee data falls to the HR department.
GDPR is an exercise in communication, as much as it is compliance. HR will need to work closely with IT, to ensure both are ready for the new regulation, and with employees to ensure a smooth transition to the new framework.
Working with employees
HR will need to work with employees to ensure everyone is aligned with the new GDPR framework. Central to this will be the shift in how HR handles employee consent. A simple sentence or paragraph in an employee contract will no longer be enough; employees will need to be explicit with their consent. They will need to know how the organisation intends to store, control and manage their data, and this will need to be detailed in a separate document. Employees will need to sign it – either physically or digitally. Without this, organisations risk severe penalties for unlawful processing of data.
Formalising this process serves two purposes. Primarily, it means the organisation needs to achieve compliance with the required standard. But this also acts as an engagement tool, demonstrating to employees that the organisation wants them to know exactly how their data will be treated, and what they are consenting to.
>See also: Proposal for new ePrivacy Regulation: what’s different?
This is an area where HR will need to work more closely with IT to understand where data may travel or reside – for example, if it leaves the country – and how employees can access and view it. This insight allows HR to communicate accurately to employees how their data will be handled, with valid and understandable reasons about why it is treated in this way, as well as where it will be used and stored.
Employees are unlikely to sign something they do not understand, and it falls to the HR department – with input from IT – to explain employee rights regarding GDPR in a clear, accessible way.
A new right of way
Bringing employees into the conversation early and offering a clear policy will be crucial to reducing the ‘floodgate’ risk of employee requests once GDPR comes into force. GDPR confers many new rights on employees, giving them more power over their privacy and how their data is controlled.
Organisations will need to be prepared to handle employee requests such as access requests, data rectification rights, and the right to be forgotten. The challenge will be ensuring both the right systems are in place and the right policies. HR needs to be organised when it comes to the new processes it will need to manage, and the potential for an increase in employee data requests.
>See also: GDPR uncertainty and confusion remains
Many companies will already have some experience in handling these processes, but it is likely these will become far more involved post-GDPR. Organisations will need well thought-out procedures and systems in place to allow HR teams to smoothly handle employee requests without using up too much time or manpower. This will again involve collaboration with IT – to ensure the right systems are in place – and employee communication to reduce the likelihood of unnecessary data requests once the new regulation is in force.
Ongoing training for continued success
Compliance training will be fundamental to GDPR best practice over the coming years. The regulation is a huge overhaul of data protection legislation, and regulators will be looking to make examples. A comprehensive, ongoing training programme will help organisations mitigate the legal, financial and reputational risks associated with non-compliance.
A structured training programme serves two purposes. It will ensure employees are aware of how GDPR regulates personal data management and the individual responsibilities associated with their role, while also increasing accountability throughout the organisation.
Employees need to be mindful of potential compliance impacts when making decisions, particularly those involving the handling of sensitive data. A one off training session will not be enough; companies will need to introduce a comprehensive, ongoing training strategy to address the long-term changes GDPR will bring.
>See also: The hidden opportunities in GDPR
From HR to GDPR
HR as a profession has moved significantly from the simple personnel administration of the past, and GDPR takes the profession even further away from its traditional marketplace. The best way for HR to manage this transition is through technology, detailed planning and increased collaboration with other departments. GDPR will see HR working more closely with IT than ever before, as both departments address the big challenge: how to effectively protect data as efficiently as possible.
Sourced by Steve Wainwright, managing director, EMEA, Skillsoft